Matt,

On Fri, May 1, 2009 at 12:57 PM, Matt Tesauro <mtesa...@gmail.com> wrote:
>
> Andres Riancho wrote:
>>
>> Aaron,
>>
>> On Thu, Apr 30, 2009 at 4:59 PM, Aaron Peterson
>> <aa...@midnightresearch.com> wrote:
>>>
>>> Hello:
>>>
>>> On Wed, Apr 29, 2009 at 08:20:47PM -0300, Andres Riancho wrote:
>>>>
>>>> On Wed, Apr 29, 2009 at 7:55 PM, Robert Carr <carr.m.rob...@gmail.com>
>>>> wrote:
>>>>>
>>>>> 1. Iterative scans of a website
>
> [snip]
>>>>>
>>>>> have everything in a state file. (application settings, data)
>>>>
>>>> Ok,
>>>
>>> Another unrelated note I have on the reporting front -- Something that
>>> would be nice is to be able to have more control over filtering/combining
>>> report output. One thing that might help would be to put a unique plugin
>>> id in each vulnerability listed in the xml output file. That way I could
>>> filter out an entire plugin's output or more easily combine reports when
>>> needed.
>>>
>>> Speaking of this, is there any xslt or other way to transform the xml
>>> into a html or text report?
>>
>> In the rickybobby branch, Robert Carr is working on adding a unique
>> numeric identifier to each vulnerability discovered by w3af. This will
>> help you in the process of filtering, but it will take some time until
>> he finishes up his work. If you want, you could send him an email and
>> help him! =)
>
> Something occurred to me when I read this bit. Has anyone considered using
> the OWASP Testing Guide's identifiers? [1] I use the Testing Guide when I
> create reports since it gives a couple of benefits:
> * Categories/structure already exists for almost anything you find
> * Unique identifiers already exist
> * Pre-made over-view descriptions to use in the report/output
> * Online resource to point to for additional information
The "main" changes that Robert Carr is doing are here:

http://w3af.svn.sourceforge.net/viewvc/w3af/branches/rickybobby/core/data/vulnReferences/

If you check the XML file, you'll notice that it mostly references the OWASP
attack definition guide. As I said in previous emails, I think that this step
is really important, and has to be totally independent of any other guide,
vulnerability numbering, etc. Once we have each vulnerability that w3af
detects, we will:

- Link it to OWASP (Robert is doing that)
- Link it to any other important reference that users may want to read
- Add a long description for the vulnerability (most probably taken from the
  OWASP attack definition project)

But the first and most time consuming step is already being taken care of by
Robert.

> For example, a report I did yesterday included:
> - - - -
> Finding: Exposed Session Variables (OWASP-SM-004)
>
> Description:
> The Session Tokens (Cookie, SessionID, Hidden Field), if exposed, will
> usually enable an attacker to impersonate a victim and access the
> application illegitimately. As such, it is important that they are protected
> from eavesdropping at all times – particularly whilst in transit between the
> Client browser and the application servers.
>
> Details:
> (I wrote this bit)
>
> Further Information:
> http://www.owasp.org/index.php/Testing_for_Exposed_Session_Variables_(OWASP-SM-004)
> (and some other links I added)
> - - - -
> Since the Testing Guide is creative commons share alike [2], all you have to
> do is provide attribution and you're done. I only have to write the
> application specific details. Version 3 of the guide was just published and
> it sure makes reporting suck less.
>
> [1] http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
> [2] http://creativecommons.org/licenses/by-sa/3.0/
>
> --
> Matt Tesauro
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://mtesauro.com/livecd/ - Documentation Wiki
>
>>
>>>>> 4. Pausing a scan. I hate doing this, but sometimes you have to,
>>>>> especially when you have very restrictive scan windows. With Burp, when
>>>>> you are finished you can pick up where you left off and you have only
>>>>> one state file, not 1 half finished and another full etc..
>>>>
>>>> I failed to understand this one,
>>>
>>> Being able to pause a scan would definitely be nice (but I suspect it
>>> would also require w3af sessions). I have a site I'm working on now that
>>> only has a 3 hour window per day that I can work on it.
>>
>> Well... you could run w3af in a vmware, and pause the vmware ;) ;) ;) ;)
>>
>>> HTH,
>>>
>>> Aaron
>>>

--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
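The reporting workflow discussed in the thread (a unique plugin id on every finding, filtering one plugin's output, combining two runs, and rendering the XML into a text report that cites OWASP Testing Guide identifiers) as an added example; this is not w3af code and the XML element and attribute names are assumptions made for the example, not w3af's real output schema.

```python
import xml.etree.ElementTree as ET
# Constructed sample reports: the element and attribute names are assumptions
# made for this example, not the real w3af XML output schema.
REPORT_A = """<w3afrun>
<vulnerability plugin="xss" id="1" url="http://example.test/search?q=">
<description>Reflected XSS in parameter q</description></vulnerability>
<vulnerability plugin="sessionCookie" id="2" url="http://example.test/login">
<description>Session cookie sent without the Secure flag</description>
</vulnerability></w3afrun>"""
REPORT_B = """<w3afrun>
<vulnerability plugin="sessionCookie" id="2" url="http://example.test/login">
<description>Session cookie sent without the Secure flag</description>
</vulnerability>
<vulnerability plugin="sqli" id="3" url="http://example.test/item?id=">
<description>SQL injection in parameter id</description></vulnerability>
</w3afrun>"""

# Plugin name -> OWASP Testing Guide v3 identifier. OWASP-SM-004 is the one
# from the thread; OWASP-DV-001 (reflected XSS) is taken from the v3 contents.
OWASP_TG = {"sessionCookie": "OWASP-SM-004", "xss": "OWASP-DV-001"}
TOC_URL = "http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents"

def parse_findings(xml_text):
    """One dict per <vulnerability>; the plugin name and id travel with it."""
    return [{"plugin": v.get("plugin"), "id": v.get("id"), "url": v.get("url"),
             "description": v.findtext("description", "").strip()}
            for v in ET.fromstring(xml_text).iter("vulnerability")]

def merge_reports(*xml_texts):
    """Combine several runs; a finding seen twice (same plugin + id) is kept once."""
    seen, merged = set(), []
    for text in xml_texts:
        for f in parse_findings(text):
            if (f["plugin"], f["id"]) not in seen:
                seen.add((f["plugin"], f["id"]))
                merged.append(f)
    return merged

def filter_plugins(findings, exclude=()):
    """Drop an entire plugin's output from the report."""
    return [f for f in findings if f["plugin"] not in exclude]

def render_text(findings):
    """Text report in the Finding / Details / Further Information layout."""
    blocks = ["Descriptions: OWASP Testing Guide v3 (CC BY-SA 3.0)"]
    for f in findings:
        ref = OWASP_TG.get(f["plugin"], "unmapped")   # fall back when no mapping
        blocks.append("Finding: %s (%s)\nDetails: %s via plugin %s, id %s\n"
                      "Further Information: %s" % (f["description"], ref,
                      f["url"], f["plugin"], f["id"], TOC_URL))
    return "\n\n".join(blocks)
```

Findings without a Testing Guide mapping are reported as "unmapped" rather than silently dropped, so a merged report never loses a plugin's result just because the reference table is incomplete.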